Military Embraces New Internet Standard

January 2006

By Henry S. Kenyon

The U.S. Defense Department’s transition to Internet protocol version 6 (IPv6) will greatly increase the number of addresses that can be assigned to personnel and equipment. IPv6’s automated configuration capabilities and security features also allow administrators to distinguish and prioritize data traffic based on the user’s authorization and the type of packets being sent.

Software rules provide more flexibility, enhanced security.

The U.S. Defense Department is migrating to an updated version of the Internet protocol that will efficiently connect warfighters and their equipment to theater and global data networks. Internet protocol version 6, or IPv6, can support a nearly unlimited number of site addresses for wireless communications devices, remote sensors, vehicles and precision-guided munitions while offering enhanced security and administrative features.

A key feature of network-centric warfare is the ability to provide individual soldiers and commanders with relevant timely information. But pushing information to users on the battlefield is difficult because the number of items that can link to the network exceeds the current messaging protocol’s ability to assign addresses. Technologies that allow wireless systems to plug into tactical and theater networks seamlessly without straining resources may permit the military to deploy more network-enabled devices.

The ongoing transition to IPv6 is an important step in realizing the U.S. military’s modernization goals. The IPv6 initiative grew out of a 2003 directive by John P. Stenbit, former assistant secretary of defense for command, control, communications and intelligence, explains a Defense Department official. Stenbit’s vision was to create a robustly networked force with information sharing, situational awareness and force self-synchronization capabilities.

To meet this goal, it was essential to connect personnel at the edge of the network by providing them with technologies that allow them to pull data as needed, as opposed to pushing information to them. On a larger scale, the official notes that the secretary’s vision also sought to build an agile, robust, interoperable and collaborative Defense Department. “It really involves the transformation of doctrine, organization, training, materiel, leadership, personnel and facilities. You have to build all of that into this IPv6 transition to achieve the net-centric vision,” the official says.

IPv6 has several advantages over Internet protocol version 4 (IPv4), which is currently in use throughout the U.S. federal government. The main IPv6 benefit is its ability to support nearly unlimited, unique Internet protocol addresses for personnel and equipment. This capability fits into a concept known as “only handle information once” (OHIO), where an information producer posts data once but permits authorized users to access it. This approach differs from requiring the producer to know the address of every user that may want the information. Although the military can currently provide individual warfighters with data to a limited extent, the official says that IPv6’s addressing capability will greatly increase the number of personnel and equipment that can plug into the network.

The OHIO process is similar to a query with an Internet search engine. After asking for specific information, the program will produce a list of Internet protocol addresses with the information. OHIO permits authorized users to conduct searches and to access data. “The unique addresses make everything addressable and therefore reachable, whether it is a sensor, a soldier, an aircraft or a particular cargo container in transit—all of those things can be addressed on an individual basis,” he says.

IPv6 also features enhanced security capabilities to ensure that end-to-end communications are authenticated and encrypted, something IPv4 does not provide. The Defense Department has unique security requirements, and additional network protection will most likely be provided for some applications, the official says.

Mobile communications with dynamic ad hoc networks are another area where IPv6 has advantages because this type of networking is not possible under the current protocol. IPv6 will provide individual soldiers, vehicles and equipment with unique addresses that can be accessed regardless of geographic location. Users can be integrated into a combat network quickly. For example, a soldier leaving Fort Bragg, North Carolina, could deploy to Iraq and plug into the theater network without the extensive system configuration that is required currently.

The new protocol also allows theater communications networks to be created in significantly less time than with IPv4. The official notes that setting up communications and data networks in Iraq took a considerable period of time due to configuration issues. IPv6 will improve this situation by reducing setup time, he maintains.

IPv6 also provides an end-to-end functionality with features such as policy-based networking and quality of service with priority and pre-emption. “IPv6 allows us to distinguish the priority of a data packet so that, through policy-based networking, we can assign priority to video, voice and data packets and the network knows what has priority and under what circumstances,” he explains.

Because IPv6 supports a nearly unlimited number of Internet protocol addresses, it has application to mobile wireless networking. This is especially useful to warfighters operating at the fringes of tactical networks. The protocol allows a variety of equipment, such as radios, vehicles, handheld wireless devices and sensors, to plug into battlefield networks.

The transition timetable was framed by several key announcements. In June 2003, Stenbit stated that the department would transition to IPv6 by fiscal year 2008. In October 2003, an additional mandate indicated that any software and equipment purchased after 2003 must support and operate IPv6. In August 2005, the Office of Management and Budget released a mandate requiring all federal agencies to use IPv6 on their backbones by June 2008.

The official defines IPv6-capable equipment as a system or product able to receive, process and forward IPv6 packets and/or interface with other systems and protocols in a manner similar to IPv4. To meet the necessary criteria, software and equipment must conform to the IPv6 standards profile contained in the Defense Department standards registry, maintain interoperability in a heterogeneous environment with IPv4, upgrade as the standard evolves and provide contractor and vendor technical support. “That doesn’t mean if you buy a router today, that IPv6 must be turned on to meet the policy mandate to buy IPv6-capable products. But you need to have the capability once you decide to go to IPv6,” he says.

To smooth this complex transition, the Defense Information Systems Agency has been asked to develop a schedule for major programs and networks to move to IPv6 by 2008 and beyond. Although specific networks and major programs have been studied, timetables have not been established, the official says.

The transition has three phases. The current stage of the effort focuses on supporting IPv4. This will be followed by a second phase where IPv4 and IPv6 will operate together. During the second phase, IPv6 and IPv4 users must have systems that are backward and forward compatible between both protocols. The Defense Department also is examining a number of transition mechanisms such as dual-stack and tunneling operations to provide interoperability. The official believes this transitional stage will last for a number of years.

The last phase of the transition will take place when the majority of the department’s equipment and software is operating IPv6. The official cautions that the time frame for this transition is still being worked out, but he predicts that it will be some years before the majority of the department’s systems will operate IPv6.

Training and doctrine also play a major role in the transition. Organizational changes will be necessary for the transition, the official speculates, but he notes that the specifics are still being discussed. However, he believes that training probably will not be a significant issue because it requires mainly a change in the protocol, and many of the network management protocols are derived from IPv4.

Interoperability with coalition allies is another consideration as the government shifts protocols. The official notes that working groups within NATO are addressing the IPv6 transition with emphasis on backward compatibility to IPv4.

Industry Meets Protocol Transition Challenge

Besides affecting the U.S. Defense Department, the transition to Internet protocol version 6 (IPv6) has a profound impact on the firms providing technical services and support to government customers. Because the transition has been underway for several years, some longtime government contractors, such as Juniper Networks, Sunnyvale, California, have developed and marketed products that are compatible with the new protocol.

Juniper has been involved with IPv6 from its early stages and is now providing routing products based on the new protocol, explains Alan Bavosa, the senior product-line manager for Juniper’s Security Products Group. Juniper has developed an operating system called ScreenOS that runs on its NetScreen platforms. ScreenOS is a proprietary operating system designed for high-performance hardware acceleration. It runs on all of the NetScreen platforms and has IPv6 built into it. “The primary purpose of it is to provide the same capabilities that we have for IPv4 traffic in terms of securing that traffic and to provide that capability to secure IPv6 traffic,” he says.

The security application provides firewall functionality against threats such as denial of service attacks transmitted over IPv6 packets. It offers virtual private network encryption functionality and features all of the basic networking elements necessary to deploy IPv6 in a production network. These components include routing and address allocation. It can work with both protocols.

Bavosa describes the ability to switch between the protocols as a dual-stack approach that allows a device and its software to operate IPv4 and IPv6 simultaneously. “That’s where we’re really important in the transition to IPv6 because we don’t believe in rip-and-replace network upgrades. We think it’s unrealistic for any company of any size to completely transition to IPv6 overnight. It’s not practical, it’s not affordable—it’s not possible,” he maintains.

Juniper’s solution is geared toward making this transition progress as smoothly as possible. Bavosa notes that the product includes transition mechanisms, which he refers to as v4 and v6 tunneling and translation. “When you’re tunneling, you’re essentially taking an IPv6 packet and encapsulating it inside an IPv4 packet and then routing it across the wide area network. To all the network devices that do not speak IPv6, this looks like an IPv4 packet,” he explains.

Bavosa notes that these two tools can complement each other or operate alone, depending on a customer’s network architecture. To translate a packet, its address is changed from an IPv4 address to one in IPv6. Juniper’s IPv6 products have been available for more than two years.
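The tunneling described above can be shown at the byte level. The following is an added example, not code from the article or from Juniper: it wraps an IPv6 packet in an IPv4 header (protocol number 41) and shows that a device reading only the outer header sees an ordinary IPv4 packet, while a dual-stack inspector must parse the inner header to apply policy. Function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 carried inside IPv4

def ipv6_packet(src, dst, payload, next_header=17, traffic_class=0):
    """Fixed 40-byte IPv6 header (flow label 0, hop limit 64) plus payload."""
    first_word = (6 << 28) | (traffic_class << 20)
    return (struct.pack("!IHBB", first_word, len(payload), next_header, 64)
            + IPv6Address(src).packed + IPv6Address(dst).packed + payload)

def checksum(header):
    """Ones'-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate_6in4(inner, tunnel_src, tunnel_dst):
    """Prefix an IPv6 packet with a 20-byte IPv4 header, protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                      IPPROTO_IPV6, 0, IPv4Address(tunnel_src).packed,
                      IPv4Address(tunnel_dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + inner

def inspect(packet):
    """Return (outer, inner): inner is None unless a valid IPv6 header follows."""
    ihl = (packet[0] & 0x0F) * 4
    outer = {"src": str(IPv4Address(packet[12:16])),
             "dst": str(IPv4Address(packet[16:20])), "proto": packet[9]}
    body = packet[ihl:]
    if packet[9] != IPPROTO_IPV6 or len(body) < 40 or body[0] >> 4 != 6:
        return outer, None
    first_word, _length, next_header, _hops = struct.unpack("!IHBB", body[:8])
    inner = {"src": str(IPv6Address(body[8:24])),
             "dst": str(IPv6Address(body[24:40])),
             "next_header": next_header,
             "traffic_class": (first_word >> 20) & 0xFF}
    return outer, inner

def demo():
    # Constructed sample: UDP payload marked with traffic class 0xB8.
    v6 = ipv6_packet("2001:db8:1::10", "2001:db8:2::20", b"constructed",
                     traffic_class=0xB8)
    return inspect(encapsulate_6in4(v6, "192.0.2.1", "198.51.100.1"))

if __name__ == "__main__":
    outer, inner = demo()
    print("IPv4-only view:", outer)
    print("Dual-stack view:", inner)
```

A filter that matches only on the outer addresses and protocol number never sees the inner source, destination or traffic class, which is why a dual-stack security device has to parse past the IPv4 header.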

IPv6 also has auto-configuration features that allow networks to be set up more easily. Bavosa cautions that the protocol is not completely automated and that some manual configuration is still necessary, but not to the extent required by IPv4. Additionally, the new protocol easily fits into wireless applications because its large address capability allows any number of devices to form a network.